Ever get notified about issues, bugs and problems by people – but also have the data in elasticsearch.
There is a tool called elastalert that can alert on data in your elasticsearch cluster.
Warning Elastalert 2 only supports recent things…
Elasticsearch 6 is not supported, only:
Elasticsearch 7.x or 8.x, or OpenSearch 1.x or 2.xElastalert 2 only supports python3.11.
If you are on ES < 7 and constrainted to an earlier python version you may want to look at the Elastalert original docs that used to be maintained by the company yelp.
Quick Setup
As always use the source docs as your first port of reference.
Create Config and Rules
mkdir elastalert
vim config.yaml
mkdir rules
cd rules
touch my-rule.ymlso the directory looks like this:
.
├── config.yaml
└── rules
└── my-rule.yaml
copy the content from https://elastalert2.readthedocs.io/en/latest/running_elastalert.html#as-a-docker-container as a reference and then update the settings as needed.
Installing Elastalert
In this example the python package will be used. In the docs there are options for docker and kubernetes.
python3.11 -m venv env
source env/bin/activate
pip install elastalert2Optionally create Elastalert Index
Create an index for elastalert to save metadata:
elastalert-create-indexIt must be on the same index elastalert is pointing to?
Testing your Rule
Run:
elastalert-test-rule rules/my-rule.yamlRunning Elastalert 2
One can run elastalert directly:
python -m elastalert.elastalert --verbose --rule rules/my-rule.yamlor via a supervisor program:
[program:elastalert]
command=/home/ubuntu/elastalert/env/bin/elastalert --verbose
directory=/home/ubuntu/elastalert
autostart=true
ausorestart=true
stopsignal=INT
stopasgroup=true
killasgroup=true
startsecs=15
stderr_logfile=/home/ubuntu/supervisor/log/elastalert.out.log
stderr_logfile_maxbytes=5MB